A distinct disinterest

What is it with the state of security that I’m seeing around me?

People are using weak passwords, or the same password for everything, and it doesn’t stop there. The people who are supposed to be responsible for security do not discourage or prohibit the use of such passwords. Hell, weak passwords are sometimes even encouraged: “Pick something that you’ll remember for sure, as long as it has at least one capital letter”. Then we end up with passwords like “Dog1234”, and when the obligatory quarterly change comes a-knocking, we get “Cat1234”, because of poor user education and poor (or non-existent) complexity rules. A rule that only counts character classes is satisfied by exactly these passwords; it says nothing about a dictionary word with a digit suffix, or about a “new” password that differs from the old one by a single word.

If we have something like full-disk encryption, chances are it’s tied to the Windows login through single sign-on, so the disk is only as well protected as the domain password. Or it’s a PIN code or something else that’s way too easy to guess or deduce.

Security is simply abhorrent everywhere I look, and I’m not sure how to start changing it. Other people are making the policies; I can only offer suggestions, and compliment users on good choices (and I’ve seen some of those too!). I’m more for positive feedback, but sometimes I just want to scream. It’s like nobody cares that a fucking VPN only has single-factor authentication, and the password is something like December2009.

“But it has numbers and a capital letter in it!”
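As an added example (this is not code from the original post), the Python below shows what a “one capital letter and one digit” rule actually lets through, and what a check that looks at the shape of the password catches instead: month+year passwords like December2009, dictionary word plus digit suffix like Dog1234, and the cosmetic Dog1234 to Cat1234 rotation. The word list, the minimum length and the sample passwords are all constructed for the example; a real deployment would load a proper cracking wordlist and check against breach corpora.

```python
"""Password checks that catch what a character-class rule lets through.

Added example, not part of the original post. COMMON_WORDS is a constructed stand-in
for a real dictionary/cracking wordlist, and MIN_LENGTH is an assumed local policy.
"""
import calendar
import re

COMMON_WORDS = {"dog", "cat", "password", "summer", "winter", "welcome", "company", "admin"}
MONTHS = {m.lower() for m in calendar.month_name if m}
SEQUENCES = ("1234", "12345", "123456", "0000", "1111", "2222", "9999")
MIN_LENGTH = 10  # assumed policy; the point is length and unpredictability, not classes


def naive_policy_ok(pw):
    """The rule the post quotes: at least 7 characters, one capital letter, one digit."""
    return len(pw) >= 7 and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)


def weak_pattern(pw):
    """Return the name of the predictable shape the password follows, or None."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{1,6})[!@#$%^&*.?]*", pw)
    if not m:
        return None
    word, digits = m.group(1).lower(), m.group(2)
    if word in MONTHS and re.fullmatch(r"(19|20)\d\d|\d\d", digits):
        return "month+year"                 # December2009, Jan09
    if word in COMMON_WORDS:
        return "dictionary word+digits"     # Dog1234, Password1
    if any(digits.startswith(s) for s in SEQUENCES) or len(set(digits)) == 1:
        return "word+sequence"              # Fluffy1234, Fluffy0000
    return None


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot a rotation that only swapped a short word."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_is_cosmetic(old, new):
    """True when the new password is the old one with a cosmetic change.

    Catches Dog1234 -> Cat1234 (same digit tail, one short word swapped),
    Summer2009 -> Summer2010 (same word, number bumped) and Password1 -> Password2.
    """
    letters = lambda s: re.sub(r"[^A-Za-z]", "", s).lower()
    digits = lambda s: re.sub(r"[^0-9]", "", s)
    if letters(old) and letters(old) == letters(new):
        return True                                   # only the number changed
    if digits(old) and digits(old) == digits(new) and edit_distance(letters(old), letters(new)) <= 3:
        return True                                   # only a short word changed
    return edit_distance(old.lower(), new.lower()) <= 2


def evaluate(new, previous=None):
    """Combine the checks. Returns (accepted, reason)."""
    if len(new) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    pat = weak_pattern(new)
    if pat:
        return False, f"predictable pattern: {pat}"
    if previous is not None and rotation_is_cosmetic(previous, new):
        return False, "cosmetic change to the previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs illustrating the post's examples.
    samples = [(None, "Dog1234"), ("Dog1234", "Cat1234"), (None, "December2009"),
               ("Fluffypaws2009", "Fluffypaws2010"), (None, "correct horse battery staple"),
               ("Dog1234", "gR8-Reindeer!Wander")]
    for old, new in samples:
        print(f"{new!r:32} naive={naive_policy_ok(new)!s:5} -> {evaluate(new, old)}")
```

Note the last two rows of the sample run: the passphrase fails the naive rule (no capital, no digit) while December2009 sails through it, which is exactly backwards from what the rule is supposed to achieve.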

Inadvertent leakage of data

Abstract

Most people are either not aware, or blissfully ignorant, that the data they carry, be it analog or digital, is significant or important to anyone in any sense. If it’s not a contract, or some other clearly classified document or file, people just don’t care. But for a social engineer, that speck of data could be all he needs to penetrate your corporate structure and network.

Data overload

How many gigabytes do you have on you right now? Well, I can list the following:

  • 30GB iPod Video
  • Laptop with a 40GB disk
  • 8 GB memory stick
  • 8 GB microSD card in my phone
  • Caselogic full of CDs and DVDs, plus a 250 GB portable hard drive

That’s what I have on my person right now. It should be noted that the actual amount of data on these media is only a fraction of that, but it serves as an example.

How about analog stuff? Most of us carry business cards in our wallets (along with other cards, receipts, etc.). Some old-school yahoos still have a bunch of papers in folders, binders and other assorted archiving methods that they lug around town every day.

If you look at what you have, you could very quickly conclude that there isn’t anything crucial on you. No contracts, no lists of people’s salaries or who’s getting fired next. No passwords on small post-it notes (and some of you do that too…). So what could be compromised if you lost one of these items, huh? Not a lot? Think again.

One man’s garbage is another man’s…

…fucking treasure-trove. What could an adept social engineer do with a business card? Well, he could assume your identity for the purpose of calling someone, or even staging a meeting. The information contained on a simple business card is usually: name, title, address, telephone number(s), e-mail address. Let’s go through these and make up plausible scenarios for their use.

If you’re just out trolling for a random target, a business card with these data could be all you need. Starting from it, an attacker can do further searches online and find out more about you, your company, or what you do. Maybe you have a blog, or maybe your calendar is openly viewable on Google Calendar. You’re most certainly on Facebook, and since you have a business card, you probably have an extensive “net history” to begin with. All of this is fuel for the social engineer’s fire. Using this data, they can get to friends, family, co-workers, ex-partners with a grudge, old school buddies or teachers, etc.: all ways of getting to the good stuff, whatever data it is that the social engineer is looking for.

A telephone number will give you a lot of things. First, in certain cases, it can be used to deduce your mobile carrier, and through that, perhaps find out who your company deals with for telecommunications. Using that data, an attacker can impersonate you more convincingly, because he knows something detailed about you. A good talker can call up a secretary and, with the proper words, get what they want, just because they know a little bit of “insider information”. A landline number (for those of us who still use those things) can give you an extension number, or reveal the system of extension numbers. That way, you could exploit the company switchboard, operator or even voicemail. It’s unbelievable, but in some cases you can get to someone’s internal voicemail just by knowing their extension, name, and the “internal” phone number to call. Some systems are open to the outside world, because people may need to get to their voicemail from their hotel, mobile phone, home, etc.

The e-mail address will give you the naming convention. Is it first.last@company.com, or something else? Once you know the scheme, one address gives you a valid address for every employee whose name you can find. This again is information you can exploit when calling someone within the company, or perhaps the service desk, pretending to be a user who has forgotten their password.
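To show how much one card leaks, here is an added example (not from the original post) that takes the single name/address pair printed on a business card, works out which naming convention produces it, and applies that convention to other names found on the company website. The domain, the names and the list of candidate conventions are constructed for the example, and the diacritic handling (ä folded to a) is an assumption about the mail system.

```python
"""Infer an e-mail naming convention from one known address and extend it to other names.

Added example, not part of the original post. The domain, names and candidate
conventions are constructed; real organisations may use schemes not listed here.
"""
import re
import unicodedata

# Common local-part conventions, each mapping (first, last) to the part before the '@'.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def normalize(name_part):
    """Fold to lower-case ASCII letters: 'Mäkinen' -> 'makinen'.

    Assumption: the mail system strips diacritics rather than transliterating
    (some Finnish and German organisations map ä -> ae instead).
    """
    decomposed = unicodedata.normalize("NFKD", name_part)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z]", "", stripped.lower())


def split_name(full_name):
    """Take the first and last whitespace-separated tokens as first and last name."""
    parts = full_name.split()
    return normalize(parts[0]), normalize(parts[-1])


def infer_convention(full_name, known_address):
    """Return (matching convention names, domain) for one name/address pair.

    More than one match means the sample is ambiguous and a second card is needed.
    """
    local, _, domain = known_address.lower().partition("@")
    first, last = split_name(full_name)
    matches = [name for name, fn in CONVENTIONS.items() if fn(first, last) == local]
    return matches, domain


def guess_addresses(convention, domain, names):
    """Apply an inferred convention to other names (website, LinkedIn, press releases)."""
    fn = CONVENTIONS[convention]
    return [f"{fn(*split_name(n))}@{domain}" for n in names]


if __name__ == "__main__":
    # Constructed sample: one business card and two names from the same company's website.
    conventions, domain = infer_convention("Ville Mäkinen", "ville.makinen@example.com")
    print("matching conventions:", conventions)
    if len(conventions) == 1:
        for addr in guess_addresses(conventions[0], domain, ["Anna Virtanen", "Jukka Korhonen"]):
            print(addr)
```

On the defensive side, the same script shows why a “guessable” naming scheme is not a secret worth protecting: assume the attacker knows it, and make sure the helpdesk does not treat a plausible-looking address as proof of identity.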

Realizing value

This is the core problem. People don’t view these things as risks. Neither do heads of corporations, or in the worst case, the security department (if you have one). How many of the buildings you work in actually have a method of making sure nobody unauthorized gets into the office? How is physical security in general? How easy is tailgating?

I’ll give you a hypothetical example. A door has a keypad, which requires a magnetic key fob and a four-digit PIN code to get in. Now, even without these, getting in is child’s play. Just tailgate. At any one time, between two and five people walk in on the same opening. There’s no reception desk at this door, but there is a camera. How often have you been confronted by someone asking you to show your ID? Not a single time. Most people don’t even carry their IDs anywhere visible (which is a good thing on its own). Get to the elevator. Someone else uses their key fob to activate the keypad. They hit their floor number, and you hit your number right after, and you won’t need your own fob to get to the floor you want. Get into the actual offices without a key, again by tailgating. Pretend you’re from another office or something, based on the information you have gotten from a business card you found, or from the company website. In most cases, you won’t be challenged. In most cases, people will open the door for you, and get you coffee if you’re nice and personable.

There have been cases where a hacker, impersonating a service representative or helpdesk person, has actually carried hardware out through the front door, and even been helped with the doors.

One of the greatest fallacies of all time is that “people won’t go through all that trouble to do that!”. You’d be amazed at what people are willing to do.

Treat every bit of data you carry on yourself as important. If you don’t, eventually someone smart enough is going to come along and exploit that. For fun, profit or something in between. Maybe just because he can.

And this is not even to mention what should be plainly obvious: losing any bit of digital data might be really, really bad. A hard disk might contain not only your files, but log files that contain IP addresses or, in the worst case, passwords to internal or external systems. The next time you lose something, take it seriously. The next time someone asks you for something, be curious as to the reason for their inquiry. We already stream out copious amounts of data that used to be personal, using social networks such as Facebook, Friendster, Twitter, etc. Don’t make it too easy for the bad guys, huh?

The politics of DDoS attacks

Twitter has today been the target of a rather crippling DDoS, which has left the site down for several hours, according to Pingdom and Netcraft.

I haven’t seen any word as to the attacker, and that got me to wonder:

Is there politics involved in DDoSes? Twitter knows exactly who’s been hitting their sites; they see the source IPs. Sure, the attacker might have gone through a bunch of zombies here and there, or a botnet or something, but I’m pretty sure they have an idea of what is going on. Can they tell us who it was?

Let’s play with the idea that it was Iran, even governmental forces in Iran, who wanted to show Twitter who is king of the hill. Twitter was and has been instrumental in the dissemination of information from the botched elections in Iran not long ago. Twitter has been blocked in Iran by the government, but there are also other groups working to provide Twitter to Iranians, through proxies and anonymizers. I’m not going to get into this issue now; the blocking of people from sites so they can’t talk freely is an issue for a different post.

Instead I’m wondering whether Twitter can actually disclose the attackers, should they know them. Or does foreign policy, or something else, dictate how it’s done? I mean, Twitter delayed scheduled maintenance at the request of the US government, so that reporting from Iran could keep going.

Who knows, but I’d be willing to bet at least someone is thinking about this issue. Can you publicly blame someone if you are absolutely sure it was them? Or does it fall under the umbrella of politics?

Medeco – Hiding the truth since 1968

OK, let’s get the facts straight here. Medeco, a “high-security” lock manufacturer founded in 1968, tries to hide the fact that their “high-security” locks are not foolproof. Wikipedia has a page on Medeco, and when someone tries to add a section on the weaknesses found in their “high-security” locks, it gets removed. It also appears the history page has been wiped clean, as well as the discussion page, since I can’t find any of the edits (which makes it harder to restore them!) or any whine or gripe on the subject. There was one comment, but my feeling is that there have been many more.

Medeco locks are used in various high-security places, such as government organisations. The problem is that the locks have a weakness which makes them not at all secure, since the lock can be bypassed without breaking anything.

The method is known as bumping, and was invented sometime in the 1970s in Denmark. When you bump a lock, you use a specially crafted key (a bump key, cut to the deepest depth at every position so that it sits under each pin stack) that is inserted into the lock and then “bumped” inwards with a sharp tap. The impact travels through the key pins into the driver pins, which jump up past the shear line for an instant, and during that instant you can turn the cylinder freely. The lock is not harmed, and no marks are left that you would notice by eye, although a forensic locksmith can sometimes find the traces of repeated bumping on the pins.

Most (but probably not all) Medeco locks are susceptible to this technique, and are therefore not high-security locks, and I recommend nobody do any business with them until they correct and/or admit that they’ve been hiding the truth. I know it’s hard, guys… you’ve got a product that you know is flawed, and you’ve sold millions of them to, like, the government, and you don’t want to get reamed. I get that. I don’t enjoy getting reamed. But you gotta fess up when we are talking about a product that is supposed to provide security. People stake life and limb on these things.

If you want a lock that is bump-proof, and also comes from my country of Finland, get an Abloy disc tumbler lock, which are very common here. They have no spring-loaded pins, only rotating discs, so there is nothing for a bump to bounce: they cannot be bumped, and picking them takes a considerable amount of time and expertise, with special tools and skill. Unlike Medeco locks, which take a filed piece of metal, and in some cases a screwdriver. Whoo!

Some sources here:
Wiki – Disc Tumbler Locks
Wiki – Lock Bumping
Wiki – Medeco

Medeco Bumping at Defcon: in this link, an 11-year-old bumps a Medeco M3 high-security lock. On this page from 2006, they say their locks are virtually bump-proof. Virtually.

Hell, they even host courses on what lock bumping is and the risk it presents.

A word on legality: the possession of lock picks or other tools that can be used to gain unlawful access to property owned by someone other than you, with criminal intent, is a crime punishable by a fine in Finland.

I am not a lawyer, so don’t listen to me, but that would mean that you could have these tools for your personal practice. Lock picking is a hobby in many countries (I haven’t heard much of it in Finland), and why couldn’t it be? Picking a lock could be a useful skill in an emergency, when someone is locked inside a dangerous area, or if you are there yourself. Or just as a general hobby. I mean, shooting can also be a hobby…

Here is the law (Finnish Criminal Code, translated from the Finnish):

Chapter 28, Section 12 a (24.5.2002/400)
Possession of burglary tools
A person who, without an acceptable reason, possesses a key to another person’s lock, or a lock pick or another tool that can reasonably be suspected of being intended mainly for breaking into a closed space in another’s possession in order to commit an offence, shall be sentenced for possession of burglary tools to a fine.

This means that if you, for instance, carry tools that can be used to pick locks in a public area without an acceptable reason, you can be fined. Being on your way to or from a lock-picking event or hobby club meeting would be such a reason; wandering around with picks in your pocket for no particular reason would not.

A good site on this whole hobby can be found here, at the “Haittalevy” blog.